Update to 2023-07-08 16:00

2025-07-27 00:05:44 +02:00 · 2023-07-08 16:00:11 +02:00
parent f16dd6e98d
commit d87c1bdc89
60 changed files with 708 additions and 439 deletions
--- a/roles/nomad/tasks/archive_post.yml
+++ b/roles/nomad/tasks/archive_post.yml
@@ -1,14 +0,0 @@
---
-
- name: Compress previous version
-  command: tar cf {{ nomad_root_dir }}/archives/{{ nomad_current_version }}.tar.zst --use-compress-program=zstd ./
-  args:
-    chdir: "{{ nomad_root_dir }}/archives/{{ nomad_current_version }}"
-  environment:
-    ZSTD_CLEVEL: 10
-  tags: nomad
-
- name: Remove archive dir
-  file: path={{ nomad_root_dir }}/archives/{{ nomad_current_version }} state=absent
-  tags: nomad
-
--- a/roles/nomad/tasks/archive_pre.yml
+++ b/roles/nomad/tasks/archive_pre.yml
@@ -1,29 +0,0 @@
---
-
- name: Create the archive dir
-  file: path={{ nomad_root_dir }}/archives/{{ nomad_current_version }} state=directory
-  tags: nomad
-
- name: Snapshot nomad data
-  command: "{{ nomad_root_dir }}/bin/nomad operator snapshot save {{ nomad_root_dir }}/archives/{{ nomad_current_version }}/nomad.snap"
-  args:
-    creates: "{{ nomad_root_dir }}/archives/{{ nomad_current_version }}/nomad.snap"
-  when:
-    - nomad_conf.server.enabled
-    - nomad_sys_services.ansible_facts.services['nomad.service'] is defined
-    - nomad_sys_services.ansible_facts.services['nomad.service'].state == 'started'
-  environment:
-    NOMAD_TOKEN: "{{ nomad_mgm_token | default(omit) }}"
-  tags: nomad
-
- name: Backup previous version
-  synchronize:
-    src: "{{ nomad_root_dir }}/{{ item }}"
-    dest: "{{ nomad_root_dir }}/archives/{{ nomad_current_version }}/"
-    compress: False
-  delegate_to: "{{ inventory_hostname }}"
-  loop:
-    - bin
-    - plugins
-  tags: nomad
-
--- a/roles/nomad/tasks/cleanup.yml
+++ b/roles/nomad/tasks/cleanup.yml
@@ -3,8 +3,7 @@
 - name: Remove tmp and obsolete files
  file: path={{ item }} state=absent
  loop:
-    - "{{ nomad_root_dir }}/tmp/nomad_{{ nomad_version }}_linux_amd64.zip"
-    - "{{ nomad_root_dir }}/tmp/nomad"
+    - "{{ nomad_root_dir }}/archives"
  tags: nomad

 - name: Remove temporary plugin files
--- a/roles/nomad/tasks/conf.yml
+++ b/roles/nomad/tasks/conf.yml
@@ -5,8 +5,7 @@
  vars:
    cert_path: "{{ nomad_conf.tls.cert_file }}"
    cert_key_path: "{{ nomad_conf.tls.key_file }}"
-    cert_key_group: "{{ nomad_user }}"
-    cert_key_mode: 640
+    cert_key_mode: omit
  tags: nomad

 - name: Check if CA exists
@@ -26,8 +25,7 @@
      vars:
        cert_path: "{{ nomad_conf.consul.cert_file }}"
        cert_key_path: "{{ nomad_conf.consul.key_file }}"
-        cert_key_group: "{{ nomad_user }}"
-        cert_key_mode: 640
+        cert_key_mode: omit
      tags: nomad

    - name: Check if CA exists
@@ -113,27 +111,67 @@
  loop: "{{ nomad_backup_configs.stdout_lines }}"
  tags: nomad

- name: Deploy consul-template config
-  template: src=consul-template.hcl.j2 dest={{ nomad_root_dir }}/consul-template/consul-template.hcl mode=600 owner=root group=root
-  notify: restart consul-template-nomad
-  when: nomad_vault_secrets.pki.enabled or nomad_vault_secrets.tokens.enabled
-  tags: nomad
-
- name: Deploy consul-template agent bundle template
-  template: src=agent_bundle.pem.tpl.j2 dest={{ nomad_root_dir }}/consul-template/agent_bundle.pem.tpl owner=root group=root
-  notify: restart consul-template-nomad
-  when: nomad_vault_secrets.pki.enabled
-  tags: nomad
-
- name: Deploy consul-template cli bundle template
-  template: src=cli_bundle.pem.tpl.j2 dest={{ nomad_root_dir }}/consul-template/cli_bundle.pem.tpl owner=root group=root
-  notify: restart consul-template-nomad
-  when: nomad_vault_secrets.pki.enabled and nomad_conf.server.enabled
-  tags: nomad
+#- name: Deploy vault-agent config
+#  template: src=vault/agent.hcl.j2 dest={{ nomad_root_dir }}/vault/agent.hcl mode=640 owner=root group={{ nomad_user }}
+#  notify: restart nomad-vault-agent
+#  when: nomad_vault_agent.nomad_pki.enabled or nomad_vault_agent.consul_pki.enabled
+#  tags: nomad
+#
+#- name: Deploy agent cert bundle template
+#  template: src=vault/agent_bundle.pem.tpl.j2 dest={{ nomad_root_dir }}/vault/templates/agent_bundle.pem.tpl owner=root group=root
+#  notify: restart nomad-vault-agent
+#  when: nomad_vault_agent.nomad_pki.enabled or nomad_vault_agent.consul_pki.enabled
+#  tags: nomad
+#  
+#- name: Deploy cli cert bundle template
+#  template: src=vault/cli_bundle.pem.tpl.j2 dest={{ nomad_root_dir }}/vault/templates/cli_bundle.pem.tpl owner=root group=root
+#  notify: restart nomad-vault-agent
+#  when: (nomad_vault_agent.nomad_pki.enabled or nomad_vault_agent.consul_pki.enabled) and nomad_conf.server.enabled
+#  tags: nomad
+#
+#- name: Deploy consul token template
+#  template: src=vault/consul_token.tpl.j2 dest={{ nomad_root_dir }}/vault/templates/consul_token.tpl owner=root group=root
+#  notify: restart nomad-vault-agent
+#  when: (nomad_vault_agent.consul_token.enabled) and nomad_conf.server.enabled
+#  tags: nomad
+#
+#- fail: msg="Only one of token or approle should be configured"
+#  when:
+#    - nomad_vault_agent.auth.approle is defined
+#    - nomad_vault_agent.auth.token is defined
+#  tags: nomad
+#
+#- name: Setup AppRole auth
+#  block:
+#    - copy: content={{ nomad_vault_agent.auth.approle.role_id }} dest={{ nomad_root_dir }}/vault/role_id owner=root group={{ nomad_user }} mode=640
+#    - copy: content={{ nomad_vault_agent.auth.approle.secret_id }} dest={{ nomad_root_dir }}/vault/secret_id owner=root group={{ nomad_user }} mode=640
+#    - file: path={{ nomad_root_dir }}/vault/token state=absent
+#  when:
+#    - nomad_vault_agent.auth is defined
+#    - nomad_vault_agent.auth.approle is defined
+#    - nomad_vault_agent.auth.approle.role_id is defined
+#    - nomad_vault_agent.auth.approle.secret_id is defined
+#  tags: nomad
+#
+#- name: Setup Token auth
+#  block:
+#    - copy: content={{ nomad_vault_agent.auth.token }} dest={{ nomad_root_dir }}/vault/token owner=root group={{ nomad_user }} mode=640
+#    - file: path={{ nomad_root_dir }}/vault/role_id state=absent
+#    - file: path={{ nomad_root_dir }}/vault/secret_id state=absent
+#  when:
+#    - nomad_vault_agent.auth is defined
+#    - nomad_vault_agent.auth.token is defined
+#  tags: nomad

 - name: Set ACL on the TLS dir
  shell: |
-    setfacl -R -k -b {{ nomad_root_dir }}/tls
+    setfacl -R -b -k {{ nomad_root_dir }}/tls
+    chown -R :{{ nomad_user }} {{ nomad_root_dir }}/tls
+    chmod 750 {{ nomad_root_dir }}/tls
+    chmod 640 {{ nomad_root_dir }}/tls/*
+    setfacl -m u:{{ nomad_user }}:rx {{ nomad_root_dir }}/tls
+    setfacl -m d:u:{{ nomad_user }}:r {{ nomad_root_dir }}/tls
+    setfacl -m u:{{ nomad_user }}:r {{ nomad_root_dir }}/tls/*
    {% if nomad_admin_groups | length > 0 %}
    setfacl -m {% for group in nomad_admin_groups %}g:{{ group }}:rx{{ ',' if not loop.last }}{% endfor %} {{ nomad_root_dir }}/tls
    setfacl -m {% for group in nomad_admin_groups %}d:g:{{ group }}:r{{ ',' if not loop.last }}{% endfor %} {{ nomad_root_dir }}/tls
@@ -147,12 +185,6 @@
  template: src=profile.sh.j2 dest=/etc/profile.d/nomad.sh
  tags: nomad

- name: Deploy consul-template consul cert templates
-  template: src=consul_bundle.pem.tpl.j2 dest={{ nomad_root_dir }}/consul-template/consul_bundle.pem.tpl owner=root group=root
-  notify: restart consul-template-nomad
-  when: nomad_vault_secrets.consul_pki.enabled and nomad_conf.consul.ssl
-  tags: nomad
-
 - name: Ensure the bridge module is loaded
  modprobe: name=bridge state=present
  when: nomad_conf.client.enabled and 'docker' in nomad_enabled_task_drivers
--- a/roles/nomad/tasks/directories.yml
+++ b/roles/nomad/tasks/directories.yml
@@ -7,10 +7,6 @@
      owner: root
      group: root
      mode: 755
-    - dir: archives
-      owner: root
-      group: root
-      mode: 700
    - dir: backup
      owner: root
      group: root
@@ -37,8 +33,11 @@
      owner: root
      mode: 755
    - dir: tls
-      owner: root
-      mode: 755
-    - dir: consul-template
-      mode: 755
  tags: nomad
+
+- name: Create host_volume directories
+  file: path={{ item.path }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
+  loop: "{{ nomad_conf.client.host_volumes | default([]) }}"
+  when: item.create | default(False)
+  tags: nomad
+
--- a/roles/nomad/tasks/facts.yml
+++ b/roles/nomad/tasks/facts.yml
@@ -1,28 +1,6 @@
 ---

-# Load distribution specific variables
- include_vars: "{{ item }}"
-  with_first_found:
-    - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
-    - "{{ role_path }}/vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml"
-    - "{{ role_path }}/vars/{{ ansible_distribution }}.yml"
-    - "{{ role_path }}/vars/{{ ansible_os_family }}.yml"
-  tags: nomad
-
- set_fact: nomad_install_mode='none'
-  tags: nomad
-
- name: Detect if nomad is installed
-  stat: path=/usr/local/bin/nomad
-  register: nomad_bin
-  tags: nomad
-
- when: not nomad_bin.stat.exists
-  set_fact: nomad_install_mode='install'
-  tags: nomad
-
- when: nomad_bin.stat.exists
-  block:
+- block:
    - name: Detect installed version
      shell: /usr/local/bin/nomad version | perl -ne '/Nomad v(\d+(\.\d+)*)\s.*/ && print "$1\n"'
      changed_when: False
@@ -30,15 +8,11 @@
    - set_fact: nomad_current_version={{ nomad_current_version.stdout }}
  tags: nomad

- when: nomad_bin.stat.exists and nomad_current_version != nomad_version
-  set_fact: nomad_install_mode='upgrade'
-  tags: nomad
-
 - name: Build a list of enabled task drivers
  set_fact: nomad_enabled_task_drivers={{ nomad_conf.client.task_drivers | dict2items | selectattr('value.enabled', 'equalto', True) | map(attribute='key') }}
  tags: nomad

- name: Check the state of the services
-  service_facts:
-  register: nomad_sys_services
+- name: Check if the consul-template service still exists
+  stat: path=/etc/systemd/system/consul-template-nomad
+  register: nomad_ct_service
  tags: nomad
--- a/roles/nomad/tasks/install.yml
+++ b/roles/nomad/tasks/install.yml
@@ -1,10 +1,5 @@
 ---

- name: Install needed tools
-  package:
-    name: "{{ nomad_packages }}"
-  tags: nomad
-
 - name: Install task driver packages
  package: name={{ nomad_task_driver_packages[item] }}
  loop: "{{ nomad_enabled_task_drivers }}"
@@ -12,43 +7,20 @@
  notify: restart nomad
  tags: nomad

- when: nomad_install_mode == 'upgrade'
-  name: Clear plugin dir on upgrades
-  file: path={{ nomad_root_dir }}/plugins state={{ item }} owner={{ nomad_user }} group={{ nomad_user }}
-  loop:
-    - absent
-    - directory
+- name: Deploy systemd service unit
+  template: src=nomad.service.j2 dest=/etc/systemd/system/nomad.service
+  register: nomad_unit
+  notify: restart nomad
  tags: nomad

- when: nomad_install_mode != 'none'
+- when: nomad_conf.client.enabled and nomad_unit.changed
  block:
-    - name: Download nomad
-      get_url:
-        url: "{{ nomad_archive_url }}"
-        dest: "{{ nomad_root_dir }}/tmp"
-        checksum: sha256:{{ nomad_archive_sha256 }}

-    - name: Extract the archive
-      unarchive:
-        src: "{{ nomad_root_dir }}/tmp/nomad_{{ nomad_version }}_linux_amd64.zip"
-        dest: "{{ nomad_root_dir }}/tmp"
-        remote_src: True
-
-    - name: Install nomad binary
-      copy:
-        src: "{{ nomad_root_dir }}/tmp/nomad"
-        dest: "{{ nomad_root_dir }}/bin/nomad"
-        remote_src: True
-        mode: 755
-      notify: restart nomad
-
-    - name: Link in /usr/local/bin
-      file: src={{ nomad_root_dir }}/bin/nomad dest=/usr/local/bin/nomad state=link force=True
-
-  tags: nomad
-
- when: nomad_install_mode != 'none' and nomad_conf.client.enabled
-  block:
+    - name: Clear plugin dir on upgrades
+      file: path={{ nomad_root_dir }}/plugins state={{ item }} owner={{ nomad_user }} group={{ nomad_user }}
+      loop:
+        - absent
+        - directory

    - name: Download plugins
      get_url:
@@ -100,24 +72,11 @@
 - name: Install bash completion support
  copy:
    content: |
-      complete -C {{ nomad_root_dir }}/bin/nomad nomad
+      complete -C /usr/local/bin/nomad nomad
    dest: /etc/bash_completion.d/nomad
    mode: 0644
  tags: nomad

- name: Deploy systemd service unit
-  template: src=nomad.service.j2 dest=/etc/systemd/system/nomad.service
-  register: nomad_unit
-  notify: restart nomad
-  tags: nomad
-
- name: Install consul-template unit
-  template: src=consul-template-nomad.service.j2 dest=/etc/systemd/system/consul-template-nomad.service
-  register: nomad_consul_tpl_unit
-  notify: restart consul-template-nomad
-  when: nomad_vault_secrets.pki.enabled or nomad_vault_secrets.consul_pki.enabled
-  tags: nomad
-
 - name: Install backup hooks
  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/nomad mode=755
  loop:
@@ -125,14 +84,21 @@
    - post
  tags: nomad

+# A tmpfs will be used to store tokens and other sensitive information
 - name: Create tmpfile fragment
  copy:
    content: |
      d /run/nomad 775 root {{ nomad_user }}
    dest: /etc/tmpfiles.d/nomad.conf
-  notify: systemd-tmpfiles
+  register: nomad_tmpfiles
  tags: nomad

+- name: Create tmpfiles
+  command: systemd-tmpfiles --create
+  when: nomad_tmpfiles.changed
+  tags: nomad
+
+# This script cleanups leftovers in iptables rules on boot
 - name: Install iptables cleanup script
  copy: src=iptables_cleanup.pl dest={{ nomad_root_dir }}/bin/iptables_cleanup.pl mode=755
  tags: nomad
@@ -144,7 +110,7 @@

 - name: Reload systemd
  systemd: daemon_reload=True
-  when: nomad_unit.changed or nomad_ipt_cleanup_unit.changed or (nomad_consul_tpl_unit is defined and nomad_consul_tpl_unit.changed)
+  when: nomad_unit.changed or nomad_ipt_cleanup_unit.changed
  tags: nomad

 # This is needed for containers to be able to reach their own services through the host published port
@@ -152,8 +118,3 @@
  copy: src=50-nomad-promisc dest=/etc/NetworkManager/dispatcher.d/50-nomad-promisc mode=755
  tags: nomad

- name: Create host_volume directories
-  file: path={{ item.path }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
-  loop: "{{ nomad_conf.client.host_volumes | default([]) }}"
-  when: item.create | default(False)
-  tags: nomad
--- a/roles/nomad/tasks/main.yml
+++ b/roles/nomad/tasks/main.yml
@@ -10,10 +10,6 @@
 - include_tasks: facts.yml
  tags: always

- include_tasks: archive_pre.yml
-  when: nomad_install_mode | default('none') == 'upgrade'
-  tags: always
-
 - include_tasks: install.yml
  tags: always

@@ -27,10 +23,6 @@
 - include_tasks: services.yml
  tags: always

- include_tasks: archive_post.yml
-  when: nomad_install_mode | default('none') == 'upgrade'
-  tags: always
-
 - include_tasks: cleanup.yml
  tags: always

--- a/roles/nomad/tasks/services.yml
+++ b/roles/nomad/tasks/services.yml
@@ -8,8 +8,9 @@
 - name: Handle consul-template-nomad service
  service:
    name: consul-template-nomad
-    state: "{{ (nomad_vault_secrets.pki.enabled or nomad_vault_secrets.consul_pki.enabled or nomad_vault_secrets.tokens.enabled) | ternary('started', 'stopped') }}"
-    enabled: "{{ (nomad_vault_secrets.pki.enabled or nomad_vault_secrets.consul_pki.enabled or nomad_vault_secrets.tokens.enabled) | ternary(True, False) }}"
+    state: stopped
+    enabled: False
+  when: nomad_ct_service.stat.exists
  tags: nomad

 - name: Handle iptables-nomad-cleanup service
@@ -17,3 +18,11 @@
    name: iptables-nomad-cleanup
    enabled: "{{ (nomad_conf.client.enabled and iptables_manage | default(True)) | ternary(True, False) }}"
  tags: nomad
+
+#- name: Handle nomad-vault-agent service
+#  service:
+#    name: nomad-vault-agent
+#    state: "{{ (nomad_vault_agent.nomad_pki.enabled or nomad_vault_agent.consul_pki.enabled or nomad_vault_agent.consul_token.enabled) | ternary('started', 'stopped') }}"
+#    enabled: "{{ (nomad_vault_agent.nomad_pki.enabled or nomad_vault_agent.consul_pki.enabled or nomad_vault_agent.consul_token.enabled) | ternary(True, False) }}"
+#  tags: nomad
+